Go to ICLR 2026 Conference homepageCertifying Graph Neural Networks Against Label and Structure Poisoning
Keywords: graph learning, robustness, robustness certification, graph machine learning, poisoning, provable robustness, self-training, semi-supervised learning, graph neural networks
TL;DR: We make certifying robustness in graph learning against node-label and structure poisoning work.
Abstract: Robust machine learning for graph-structured data has made significant progress against test-time attacks, yet certified robustness to poisoning – where adversaries manipulate the training data – remains largely underexplored. For image data, state-of-the-art poisoning certificates rely on partitioning-and-aggregation schemes. However, we show that these methods fail when applied in the graph domain due to the inherent label and structure sparsity found in common graph datasets, making effective graph-partitioning difficult. To address this challenge, we propose a novel semi-supervised learning framework called deep Self-Training Graph Partition Aggregation (ST-GPA), which enriches each graph partition with informative pseudo-labels and synthetic edges, enabling effective certification against node-label and graph-structure poisoning under sparse conditions. Our method is architecture-agnostic, scales to large numbers of partitions, and consistently and significantly improves robustness guarantees against both label and structure poisoning across multiple benchmarks, while maintaining strong clean accuracy. Overall, our results establish a promising direction for certifiably robust learning on graph-structured data against poisoning under sparse conditions.
Primary Area: learning on graphs and other geometries & topologies
Submission Number: 25031
Loading